CVE-2024-50609 Overview
CVE-2024-50609 is a null pointer dereference vulnerability in Fluent Bit 3.1.9, an open-source log processor and forwarder maintained by Treasure Data. The flaw resides in the OpenTelemetry input plugin, specifically in the process_payload_traces_proto_ng() function within opentelemetry_prot.c. A remote unauthenticated attacker can send an HTTP request with Content-Length: 0 to the listening endpoint, triggering a crash of the Fluent Bit service. The vulnerability is categorized under [CWE-476] Null Pointer Dereference and enables a remote Denial of Service (DoS) condition against telemetry pipelines.
Critical Impact
An unauthenticated network attacker can crash Fluent Bit instances running the OpenTelemetry input plugin by sending a single crafted HTTP request, disrupting log and trace ingestion across observability pipelines.
Affected Products
- Treasure Data Fluent Bit version 3.1.9
- Deployments using the OpenTelemetry input plugin
- Container and Kubernetes environments running affected Fluent Bit releases
Discovery Timeline
- 2025-02-18 - CVE-2024-50609 published to NVD
- 2025-04-22 - Last updated in NVD database
Technical Details for CVE-2024-50609
Vulnerability Analysis
The vulnerability affects Fluent Bit when the OpenTelemetry input plugin is configured to listen on an IP address and port for incoming telemetry data. When the plugin receives an HTTP request, it parses the Content-Length header to determine the size of the payload buffer. The parsing logic fails to validate the case where Content-Length equals zero before proceeding to downstream processing functions.
The crash originates in process_payload_traces_proto_ng() inside opentelemetry_prot.c. Because a zero-length request leaves the payload buffer unallocated, a NULL pointer is passed to cfl_sds_len, which casts it to the struct cfl_sds header and reads from it. Dereferencing this NULL pointer terminates the Fluent Bit process and halts all telemetry ingestion.
Root Cause
The root cause is missing input validation on the Content-Length HTTP header. The OpenTelemetry input handler assumes a non-zero, valid payload length before invoking string descriptor helpers. The cfl_sds_len utility expects a valid cfl_sds pointer but receives NULL when the payload buffer was never allocated due to the zero-length request.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. Any attacker with reachability to the OpenTelemetry input port can send a single HTTP request with Content-Length: 0 to crash the service. In environments where Fluent Bit endpoints are exposed beyond a trusted network boundary, the attack surface extends to any reachable client. A single malformed packet, similar to POST /v1/traces HTTP/1.1\r\nContent-Length: 0\r\n\r\n, is sufficient to trigger the NULL pointer dereference in process_payload_traces_proto_ng(). Refer to the Ebryx Blog Analysis on CVEs for additional technical context.
Detection Methods for CVE-2024-50609
Indicators of Compromise
- Unexpected termination or restart of the fluent-bit process on hosts running the OpenTelemetry input plugin
- HTTP requests targeting the OpenTelemetry listener with Content-Length: 0 headers, particularly to /v1/traces, /v1/logs, or /v1/metrics endpoints
- Gaps in trace, log, or metric ingestion correlated with crash events in container orchestrator logs
Detection Strategies
- Monitor the Fluent Bit process lifecycle and alert on abnormal exit codes or repeated restarts by supervisor processes such as systemd or Kubernetes
- Inspect network telemetry for inbound HTTP requests to OpenTelemetry plugin ports containing zero-length payloads from untrusted sources
- Correlate Fluent Bit service interruptions with upstream HTTP access logs to identify the source IP of malformed requests
Monitoring Recommendations
- Enable health checks and liveness probes on Fluent Bit containers to surface crash loops quickly
- Aggregate Fluent Bit stderr and stdout to a separate logging pipeline so crash diagnostics survive the process termination
- Track the version inventory of Fluent Bit deployments across the environment to identify vulnerable 3.1.9 instances
How to Mitigate CVE-2024-50609
Immediate Actions Required
- Upgrade Fluent Bit to a patched release later than 3.1.9 as documented in the Fluent Bit Release Notes
- Restrict network access to the OpenTelemetry input plugin port using firewall rules, security groups, or Kubernetes NetworkPolicies
- Place the OpenTelemetry endpoint behind a reverse proxy or API gateway that validates Content-Length headers and rejects malformed requests
Patch Information
Treasure Data and the Fluent Bit maintainers have released fixed versions following 3.1.9. Consult the Fluent Bit Announcements page and the Fluent Bit Release Notes for the specific patched version and changelog. The fix introduces explicit validation of the Content-Length value before invoking cfl_sds_len in process_payload_traces_proto_ng().
Workarounds
- Disable the OpenTelemetry input plugin if it is not required by the deployment configuration
- Bind the OpenTelemetry listener to a loopback interface or internal-only network segment when external ingestion is not needed
- Deploy a request-filtering proxy that drops HTTP requests with Content-Length: 0 directed at the OpenTelemetry endpoint
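The zero-length request check behind the Detection Strategies above and the request-filtering proxy workaround, as an added Python example that is not Fluent Bit code: it parses a raw HTTP/1.1 request head and flags Content-Length: 0 sent to the /v1/traces, /v1/logs or /v1/metrics paths; the source addresses and request bytes are constructed for the example.

```python
# Added example (not Fluent Bit code): flag HTTP requests matching the CVE-2024-50609
# trigger, Content-Length: 0 sent to an OTLP HTTP path. check_request() serves as a
# detection rule over captured requests or as the reject predicate in a filtering proxy.
from __future__ import annotations
from dataclasses import dataclass

OTLP_PATHS = {"/v1/traces", "/v1/logs", "/v1/metrics"}  # affected listener paths

@dataclass
class Verdict:
    flagged: bool
    reason: str
    path: str = ""

def parse_head(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split an HTTP/1.1 request head into (method, path, lowercased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def check_request(raw: bytes) -> Verdict:
    """Flag a request that would reach the unvalidated zero-length code path."""
    try:
        method, path, headers = parse_head(raw)
    except ValueError as exc:
        return Verdict(True, f"unparseable request: {exc}")
    target = path.split("?", 1)[0]
    if target not in OTLP_PATHS:
        return Verdict(False, "not an OTLP endpoint", target)
    length = headers.get("content-length", "")
    if length.isdigit() and int(length) == 0:
        return Verdict(True, f"{method} with Content-Length: 0 (CVE-2024-50609 pattern)", target)
    return Verdict(False, "payload length is non-zero or not declared", target)

# Constructed sample traffic for this example: (source address, raw request bytes).
SAMPLE_REQUESTS = [
    ("203.0.113.7", b"POST /v1/traces HTTP/1.1\r\nHost: fb:4318\r\nContent-Length: 0\r\n\r\n"),
    ("10.0.0.5", b"POST /v1/logs HTTP/1.1\r\nHost: fb:4318\r\nContent-Length: 3\r\n\r\n\x0a\x01\x00"),
    ("10.0.0.6", b"GET /healthz HTTP/1.1\r\nHost: fb:4318\r\nContent-Length: 0\r\n\r\n"),
]
def scan_requests(requests) -> list[tuple[str, str, str]]:
    """Return (source, path, reason) for each flagged request, for source correlation."""
    return [(src, v.path, v.reason) for src, raw in requests if (v := check_request(raw)).flagged]
```

Unparseable requests are flagged as well, so a proxy built on this predicate fails closed rather than forwarding ambiguous traffic to the listener.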
# Configuration example: restrict OpenTelemetry input to loopback and disable if unused
[INPUT]
    Name   opentelemetry
    Listen 127.0.0.1
    Port   4318
# Remove this [INPUT] block entirely if OpenTelemetry ingestion is not required
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.